Security experts hit out at Google over refusal to patch Android security flaw exploited by ransomware

Google has been criticised by security experts for failing to take action on a security flaw behind three-quarters of the ransomware on the Android platform.

The security flaw, highlighted by Check Point Software in a report last week, was introduced with Android Marshmallow, released in October 2015. The permissions flaw enables attackers to display an app over a user's screen without notifying the user. Check Point claims that it has been so widely exploited that three-quarters of Android ransomware and 14 per cent of the banking malware on the platform now exploit the flaw.

However, Google is refusing to patch the flaw now. Instead, it says the fix will ship with the next major release of Android in the autumn, and that it will not issue a security patch for any other version of Android.

“The newly uncovered ‘dangerous’ permissions flaw is a bad vulnerability indeed. It opens the door to malware installation on a range of Android devices. Google seem to be taking a chance especially in the wake of the WannaCry attacks by delaying a rollout to customers,” Dr Kevin Curran, senior member of the IEEE and professor of cybersecurity at Ulster University, told Computing.

He pointed out that Google has already made a corporate decision to abandon Android 4.4, also known as KitKat, which was released less than four years ago, in contrast to the 13 years of extended support Microsoft provided for Windows XP. Even the unpopular Windows Vista enjoyed extended support for 11 years.

“Google’s own vulnerability-hunting team has no qualms about highlighting the security holes in other vendors’ products, and pressuring for them to be fixed quickly. It seems odd that they would be so tardy about flaws in their own software,” said security expert Graham Cluley.

Google’s problem, continued Curran, is compounded both by the fragmented nature of the Android ecosystem and by the inadequacies of the infrastructure for delivering updates and patches to end users: typically only users of Google Nexus and Pixel phones, and of BlackBerry Android devices, receive regular updates.

“So even when Google rolls out an update for this latest flaw, unfortunately only a portion of users will get it. Hence, we will see more malware authors turning to Android,” added Curran.

Cluley agrees: “The galling truth is that even after they patch this Android security flaw, chances are that many Android users will find the patch is simply unavailable to them, because of the knotted mess that is Android’s updating infrastructure,” he told Computing.

Kevin Epstein, vice president of the Threat Operations Centre for Proofpoint, suggested that organisations ought to take their own measures to protect themselves from such threats: “Best practice for organisations is to implement secondary layers of defence that examine what apps users have allowed to run on their devices so that IT can provide additional warnings or remove apps appropriately.”